SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
1 Nov 2016

Google discloses critical Windows vulnerability that makes all Windows users vulnerable

Google has once again publicly disclosed a zero-day vulnerability in current versions of Windows operating system before Microsoft has a patch ready.

Yes, the critical zero-day is unpatched and is being used by attackers in the wild. Google made the public disclosure of the vulnerability just 10 days after privately reporting the issue to Microsoft, giving the chocolate factory little time to patch issues and deploy a fix.

According to a blog post by Google's Threat Analysis Group, the reason behind going public is that it has seen exploits for the vulnerability in the wild and according to its internal policy, companies should patch or publicly report such bugs after seven days. The zero-day is a local privilege escalation vulnerability that exists in the Windows operating system kernel. If exploited, the flaw can be used to escape the sandbox protection and execute malicious code on the compromised system.

The flaw "can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD," Google's Neel Mehta and Billy Leonard said in a blog post. 

"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability." The blog post also notes that Google reported a zero-day flaw (CVE-2016-7855) in Flash Player to Adobe at the same time as it contacted Microsoft. Adobe pushed an emergency patch for its software last Wednesday.

The Flash Player bug was also being exploited in the wild against organizations in targeted attacks. According to Adobe, the flaw affected Windows 7, 8.1 and 10 systems. Since the Windows zero-day vulnerability is being actively exploited in the wild, Google shared only basic details about the bug on Monday.

Microsoft has yet to Rolled out a Fix

Needless to say, Microsoft is not at all happy about the disclosure. In response, Microsoft said Google's disclosure has potentially placed customers at risk, adding that the company believes in coordinated vulnerability disclosure.

"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk," a Microsoft spokesperson said in a statement. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Microsoft has not provided any details as to when the company will roll out a fix for the flaw. This is not the very first time that Google and Microsoft have been at odds over vulnerability disclosure. Microsoft has a long history of bungling patches, so the move could eventually lead the company into quickly rolling out an update. Meanwhile, users are advised to update their Flash software now and apply Windows patches as soon as they become available.

Tags:
Windows information leaks
Source:
The Hacker News
1901
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015